preauth mechanism functioning at the client-side
Tim.Alsop at CyberSafe.Com
Mon Aug 13 13:43:40 EDT 2007
You may remember that I replied to your last email, showing you the
output from our software, which already supports RSA SecurID, VASCO
Digipass and Secure Computing SafeWord tokens. To implement this we have
support in our client software to handle hardware authentication
pre-auth type. This is so that the client can ask the user for the
information from the token + pin (if applicable). Without any client
code changes the client is only aware of how to ask for a principal name
Also, when you select a pre-auth type, please check the RFCs in case of
a conflict with other pre-auth types that are known.
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf
Of Gopal Paliwal
Sent: 13 August 2007 18:23
To: krbdev at mit.edu
Subject: preauth mechanism functioning at the client-side
I am implementing an OTP support mechanism in existing Kerberos 1.6.1.
Till now, I have done the server changes and the AS_REP contains one
required timestamp as OTP one. I wish to know, will the existing client
be able to send 2 preauth sequences (one is pa_enc_timestamp) and the other
is my declared preauth-using OTP?
Or the client just sends any one of the asked preauth types.
I see that the server would be able to support more than one preauth-type
by the client by making it verify each preauth type in a loop but I am
sure about how the client behaves in sending multi-preauth types.
I debugged the client code and I could make out that the client gets my
created preauth mechanism as hint but still it selects enc_time-stamp as
default one to reply back. The number I chose for my preauth type is 32.